skip to main content
10.1145/2661694.2661699acmconferencesArticle/Chapter ViewAbstractPublication PagesfseConference Proceedingsconference-collections
Article

Automated detection and mitigation of inter-application security vulnerabilities in Android (invited talk)

Published: 17 November 2014 Publication History

Abstract

Android is the most popular platform for mobile devices. It facilitates sharing data and services between applications by providing a rich inter-application communication system. While such sharing can be controlled by the Android permission system, enforcing permissions is not sufficient to prevent security violations, since permissions may be mismanaged, intentionally or unintentionally, which can compromise user privacy. In this paper, we provide an overview of a novel approach for compositional analysis of Android inter-application vulnerabilities, entitled COVERT. Our analysis is modular to enable incremental analysis of applications as they are installed on an Android device. It extracts security specifications from application packages, captures them in an analyzable formal specification language, and checks whether it is safe for a combination of applications - holding certain permissions and potentially interacting with each other - to install simultaneously. To our knowledge, our work is the first formally-precise analysis tool for automated compositional analysis of Android applications.

References

[1]
android-apktool - a tool for reverse engineering android apk files. https://code.google.com/p/android-apktool/.
[2]
Au, K. W. Y. et al. Pscout: Analyzing the android permission specification. In Proc. of CCS’12 (2012).
[3]
Bugiel, S. et al. Towards taming privilege-escalation attacks on android. In Proc. of NDSS (2012).
[4]
Chin, E. et al. Analyzing inter-application communication in android. In Proc. of MobiSys (2011).
[5]
Dietz, M. et al. Quire: Lightweight provenance for smart phone operating systems. In Proc. of USENIX (2011).
[6]
Enck, W. et al. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proc. of USENIX OSDI (2011).
[7]
Enck, W. et al. On lightweight mobile phone application certification. In Proc. of CCS (2009).
[8]
Fragkaki, E. et al. Modeling and enhancing android’s permission system. In Proc. of ESORICS (2012).
[9]
Hornyack, P. et al. These aren’t the droids you’re looking for: Retrofitting android to protect data from imperious applications. In Proc. of CCS (2010).
[10]
Jackson, D. Alloy: a lightweight object modelling notation. TOSEM 11, 2 (2002), 256–290.
[11]
Shabtai, A. et al. Google android: A comprehensive security assessment. Security & Privacy, IEEE 8, 2 (2010), 35––44.
[12]
Valle é-Rai, R. et al. Soot - a java bytecode optimization framework. In Proc. of CASCON’99 (1999). Introduction Approach Overview References

Cited By

View all
  • (2015)IccTAProceedings of the 37th International Conference on Software Engineering - Volume 110.5555/2818754.2818791(280-291)Online publication date: 16-May-2015
  • (2015)IccTA: Detecting Inter-Component Privacy Leaks in Android Apps2015 IEEE/ACM 37th IEEE International Conference on Software Engineering10.1109/ICSE.2015.48(280-291)Online publication date: May-2015

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
DeMobile 2014: Proceedings of the 2nd International Workshop on Software Development Lifecycle for Mobile
November 2014
18 pages
ISBN:9781450332255
DOI:10.1145/2661694
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 November 2014

Check for updates

Author Tags

  1. Android
  2. Mobile Security
  3. Program Analysis

Qualifiers

  • Article

Conference

SIGSOFT/FSE'14
Sponsor:

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)1
  • Downloads (Last 6 weeks)0
Reflects downloads up to 14 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2015)IccTAProceedings of the 37th International Conference on Software Engineering - Volume 110.5555/2818754.2818791(280-291)Online publication date: 16-May-2015
  • (2015)IccTA: Detecting Inter-Component Privacy Leaks in Android Apps2015 IEEE/ACM 37th IEEE International Conference on Software Engineering10.1109/ICSE.2015.48(280-291)Online publication date: May-2015

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media